Microsoft CA certificate templates expires sooner than expected

certificate certificate-authority ad-certificate-services

The certificates my Microsoft CA is generating do not match the time period indicated in the template used. How can I resolve this?

I recently created a new certificate template for use on my Linux boxes on my Microsoft CA (2008 R2 Enterprise). This template is approved for server and client authentication purposes with a validity period of 10 years - the expected lifetime of our Linux boxes - and the subject name supplied in the request. I have checked both the intermediate and offline CA - both have more than 10 years of life listed. The certificates are exactly two years.

Is there some kind of hard limit I'm hitting here?


Solution 1:

By default ADCS is set to issue certs for a maximum of 2 years (regardless of template or request).
To change that just run the following two commands (modify as desired):

certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10

Then restart certificate services:

net stop  certsvc
net start certsvc

Related

AirPlay over unicast DNS-SD. Anyone got it working?
Why is visudo saying there's a syntax error?
tomcat6 on CentOS 6: cannot stop/restart service
Headset for phone calls in the datacenter
How do I prevent IIS 8 from stopping idle ASP.NET applications?
error reading keytab file krb5.keytab
iptables to drop for a while IPs with recently failed connections
SSL, CNAME, and multiple domains
Apache ServerAlias wildcard for domains (e.g. subdomain.*.com)
How to measure rate of new lines in file (log file)
Passing Arguments to a Service started with Init.d
dns requests for odd domain names like mAiL.myDOmAIn.De